Preventing And Detecting Fraud - EY
Preventing anddetecting fraudStrengthening the rolesof companies, auditorsand regulators
IntroductionContents02Introduction03 ho is responsibleWfor preventing anddetecting fraud?03 sing data, forensic,Ubehavioral analysisand training in the auditto detect fraud04How EY is evolvingthe audit to detect fraud05Promoting widercollaboration toeffect change07ConclusionIn his recent report on audit quality and effectiveness in the UK,Sir Donald Brydon described the question of fraud as “the mostcomplex and misunderstood in relation to the auditor’s duties.” 1While there have been a number of major corporate failuresas a result of fraud over the past few decades, it is importantto note that relative to the overall number of listed companiesthe figures are very small. These failures nevertheless reinforcethe need for more to be done to discourage and preventfraud and, where it cannot be prevented, to detect it as soonas possible.We recognize that, as part of ongoing improvement efforts,we need to evolve how we perform our audits to address fraud.Further, we are committed to leading the profession more widelyto address the questions that many stakeholders are askingabout the role of the auditor in fraud detection.We are already making progress. In fact, the actions we aretaking — mandating the use of data analytics for fraud testing,using additional internal and external data and information,using electronic confirmations for audit evidence whereverpossible, developing a proprietary fraud risk assessmentframework, mandating annual fraud training and requiring theuse of our forensic specialists in the audit on a targeted-riskbasis — go beyond currently accepted professional standards.Recognizing that auditors cannot succeed on their own, we setout a call to action to all members of the corporate governanceecosystem, including management, boards, audit committeesand regulators, to work with auditors on these issues, to improveaccountability and, where they do not exist already, to developtheir own initiatives to improve the prevention and detectionof fraud.12Assess, Assure and Inform: Improving Audit Quality and Effectiveness, December 2019,Report of the Independent Review into the Quality and Effectiveness of Audit.Preventing and detecting fraud: strengthening the roles of companies, auditors and regulators
Who is responsible for preventingand detecting fraud?The prevention and detection of fraud within a companyis primarily the responsibility of management under theoversight of those charged with the governance. Alongwith other members of the corporate governance andreporting ecosystem, auditors also play an important rolein detecting material fraud.Currently, auditors are responsible for providingreasonable assurance to shareholders that the financialstatements, taken as a whole, are free from materialmisstatement, whether caused by fraud or error. Publicopinion in many places though indicates that auditors areexpected to play a role that extends beyond providing thisreasonable assurance.2Using data, forensic, behavioral analysisand training in the audit to detect fraudNew opportunities to catch fraudsters are presentingthemselves. Companies have never been as data-richas they are today, potentially providing entirely newopportunities to detect material frauds through datamining, analysis and interpretation. Auditors are ideallyplaced to do this.Auditors are already increasingly using data analytics toidentify unusual transactions and patterns of transactionsthat might indicate a material fraud. At the same time,auditors still face challenges when it comes to acquiringand analyzing the relevant data from companies, eitherdue to systems infrastructure, formatting issues, or dataprivacy rules.Technology is not a panacea: an important humanelement also comes into play. There is an opportunityfor all involved, management and boards, auditors andregulators, to focus more on corporate culture andbehaviors to support fraud detection. The fraud triangle,3a generally accepted model used to consider the likelihoodof fraud risk, holds that three factors (opportunity,pressure and rationalization) provide the environment23for a fraud to occur. We believe that developments intechnology and research on human behaviors couldenhance an assessment of the pressureand rationalization elements. These results could feedinto a fraud risk assessment process. For example,consideration of the fraud triangle could in the futurebe part of a company's risk management and compliancesystem, and audit firms could deploy professionals withdifferent skills to look at all three factors (opportunity,pressure and rationalization) to enhance the ability todetect fraud. We would welcome a dialogue with allstakeholders to explore opportunities in this area.Auditors are already increasinglyusing data analytics to identifyunusual transactions and patternsof transactions that might indicatea material fraud.Closing the expectation gap in audit, ACCA, May 2019, summarizing the results of survey of 11,000 people across 11 different countries.Donald R Cressey, Other People’s Money, Montclair: Patterson Smith, 1973. Explains how fraud is more likely to take place when there is an opportunity tocommit the fraud in a concealed way (e.g., where there is a flattened management structure or limited approval processes); there are pressures (e.g., to appearto meet earnings to sustain investor confidence or personal financial problems); rationalization where the perpetrator justifies their actions to feel they areacceptable (e.g., “I need it more than they do”).Preventing and detecting fraud: strengthening the roles of companies, auditors and regulators3
There are also opportunities to boost auditors’professional skepticism and moral courage througheducation and training in topics such as behavioralscience, including the concepts of conscious andunconscious bias. These opportunities could haveprofound implications for auditor education andqualifications, as well as standards and audit regulationin the future.The use of forensic specialists in the audits of publicinterest entities may become mandatory in the future.In the UK, Sir Donald Brydon’s review of audit hassuggested that forensic skills and fraud awarenessshould be part of the formal qualifications and continuingprofessional development for all auditors. EY supportsthat recommendation, and as noted, is alreadymoving forward with enhanced procedures designedto detect fraud.How EY is evolvingthe audit to detect fraudWhere there is an incident of fraud, we seek tounderstand what we can learn from it to furtherenhance audit quality — regardless of whether theaffected business has been audited by us or anotherfirm. Drawing on both our skilled talent pool and ourstate-of-the-art technologies, we are developing ourauditing process to systematically go beyond standardpractice by: Mandating the use of data analytics for fraud testingin audits for all listed entities globally to enhance frauddetection capabilities and further develop professionalskepticism. We are already rolling out an approach touse data analytics throughout the audit process whichwill further bolster our ability to detect fraud.Where there is an incidentof fraud, we seek to understandwhat we can learn from it tofurther enhance audit quality.4 Using additional internal and external data andinformation to enable more nimble responses toexternal risk indicators, such as short sellers andwhistleblowers. Improving access to news andsocial media information will also assist in deepeningour independent and objective point of view, which iscritical in serving the public interest. Using electronic confirmations for audit evidencewherever possible, moving in time to matchingcompanies’ records of banking transactions with thoseprovided to EY directly by banks. Developing a proprietary fraud risk assessmentframework for use with audit committees and thosecharged with governance. Mandating annual fraud training for all auditprofessionals that incorporates the experiencesof our forensic professionals. Requiring the use of our forensic specialists in theaudits on a targeted-risk basis to assess potentialopportunities for fraud.Preventing and detecting fraud: strengthening the roles of companies, auditors and regulators
EY will also continue to work with boards, auditcommittees, standard setters, regulators and otherparties in the corporate governance and reportingecosystem to strengthen fraud detection. For example,in the US through the Center for Audit Quality, EY workswith the Anti-Fraud Collaboration, a combined effortwith Financial Executives International, the NationalAssociation of Corporate Directors and the Institutefor Internal Auditors. The Anti-Fraud Collaborationtakes collective action to improve financial fraudrisk management.Outside the US, EY is actively involved in efforts todetermine how professional standards for auditorsand others in the financial reporting ecosystem can beimproved to aid fraud detection. For example, we arecontributing to the International Auditing and AssuranceStandards Board consultation, as well as a numberof anti-fraud related debates in the EU, the UK, India,the Netherlands and South Africa, to name but a few.Promoting wider collaborationto effect changeWhen a fraud extends to a broad network acrossmanagement and third parties, it can take more than anormal audit to find the evidence. So, what can be doneto detect fraud as early as possible or even prevent it?We firmly believe that this goes far beyond the auditingprofession: we cannot succeed on our own. Large-scalefraud is mostly very well thought through and verydifficult to detect. Auditing is an important check, butit is not the only one. Nor should it be, if we are tomaximize the number of opportunities to prevent ordetect fraud as efficiently as possible. In this regard,we believe adopting a “three lines of defense” approachas recently coined by the European Commission is useful:namely (1) corporate governance, (2) the auditor, and(3) capital markets supervision.In this regard, we believe the following areas are ripefor exploration to drive better prevention or detectionof frauds. It is important to state that in some casesthese areas draw on best practices or requirementsfrom different countries around the globe, but we believethe public interest would be better served if they wereapplied more generally to public interest entities.To maximize the number ofopportunities to prevent or detectfraud, we believe the “three linesof defense” approach will be useful.Preventing and detecting fraud: strengthening the roles of companies, auditors and regulators5
Promoting wider collaborationto effect change (Continued)1 Corporate governance1.1. Public interest entities should have a system ofstrong internal controls over financial reportingthat includes fraud risk specifically. Such a systemwould set out clear and specific roles for eachstakeholder (e.g., management, board, auditcommittee and internal audit), including, whererelevant, certification and reporting requirements.According to findings by the Association ofCertified Fraud Examiners, a lack of internalcontrols could contribute to nearly one thirdof all frauds.41.2. For public interest entities, management anddirector certifications on the content of financialstatements as well as the internal controlsover financial reporting should be explored.There should be meaningful consequences forinappropriate certifications. In countries wherecertifications are already required, this has led togreater understanding by management and boardsof the control environment and detailed work toensure that appropriate internal controls are inplace and operating effectively.1.3. Systems and controls are not the only protectionsagainst fraud. Culture and incentives also play arole. Companies could do more to measure andoversee both these elements. Whether or notthere is a role here for external auditors is opento debate — internal audit or other assuranceproviders may be better placed to give boardscomfort about the corporate culture and influenceof incentives. That said, as we explain above, therecould be opportunities to enhance companiesand their auditor's ability to assess both pressureand rationalization and feed the results into theirfraud risk assessment processes. Audit firms coulddeploy professionals with different skills to look atthe three sides of the fraud triangle (opportunity,pressure and rationalization) to enhance the abilityto detect fraud.45661.4. All actors in the corporate governance chain, includingauditors, should have strong whistleblower programsin place that both encourage and protect those whomake reports.Where we have seen similar measures implemented,for example, in the Sarbanes-Oxley Act in theUSA, they have led to better accountability ofmanagement and those charged with governanceover the financial reporting process, improvementsin audit quality, decreased severity of restatementsand increased investor confidence. It has also beenobserved by regulators and other key participantsthat the overall benefits of higher valuation premiumsand a relatively lower cost of capital have outweighedthe associated additional compliance cost.2 The auditor2.1. Auditing standards should be reviewed to provideauditors with a stronger framework to detect fraud.Such a review should examine matters like materiality,level of skepticism, use of forensic specialists,internal controls, access to and use of culture andincentives’ assessments, discussions with auditcommittees, and public reporting.It is helpful in this regard that the InternationalAuditing and Assurance Standards Board5 and the UKFinancial Reporting Council6 have both recently starteda review of the auditor's role in fraud detection.2.2. Separately to improve fraud prevention and detection,external auditors could be required under an acceptedframework to assess and report on a public interestentity’s internal controls and risk managementprocesses (including how the company monitors andtests compliance) to boards, regulators and the public.This reporting would also give an opinion on thedirectors’ statements referred to in 1.2 above. Overtime, this feedback loop should lead to more effectivecontrols and processes.Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse, Association of Certified Fraud Examiners, 2020.Fraud and going concern in an audit of financial statements, IAASB.Consultation on revised auditing standard for the auditor's responsibilities relating to fraud, FRC.Preventing and detecting fraud: strengthening the roles of companies, auditors and regulators
3 Capital marketsConclusionsupervision3.1. Minimum corporate governance and reportingstandards (including the proposals above) shouldbe required as a precondition for a listing on amajor stock market index.3.2. In many places, auditors already have red-flagobligations to escalate, or determine whetherto escalate, any concerns they have overpotential breaches of laws and regulations thatmay impact the financial statements, to anappropriate authority. Under this approach incertain jurisdictions, auditors are required toescalate further to a nominated regulator if theirconcerns are not addressed by management orthose charged with governance. Where theseobligations already exist, they must be clearlyenshrined in law or regulation — the circumstancesin which auditors have to report should be clearlydefined and the reporting channels should protectgood faith disclosure. Importantly, the regulatorreceiving reports should have a correspondingobligation and the resources to act on theinformation they receive. This is an importantelement of, not a substitute for, the other robustlines of defense delivered by management, thosecharged with governance, auditors and regulatorsas set out in this paper.The evolving external environment, increasinglycomplex business models and the sophisticationof fraudsters requires a reexamination of howtraditional audit procedures approach the riskof fraud. There are clear actions that we asauditors are already taking to evolve the auditto detect fraud. However, if we are to truly tacklethe issue of corporate fraud, actors throughoutthe ”three lines of defense” must work together.Collaboration is key to improving the preventionand detection of fraud, and ultimately protectingthe victims of fraudsters.We recognize that the maturity of local or regionalcorporate governance and regulatory systems needsto be considered when deciding how to progress theareas mentioned above. A full cost-benefit analysiswould also need to be undertaken.Preventing and detecting fraud: strengthening the roles of companies, auditors and regulators7
ContactsMarie-Laure DelarueEY Building a better working worldEY exists to build a better working world, helpingto create long-term value for clients, people andsociety and build trust in the capital markets.EY Global Vice Chair — Assurancemarie-laure.delarue@fr.ey.comEnabled by data and technology, diverse EY teamsin over 150 countries provide trust throughassurance and help clients grow, transformand operate.John KingWorking across assurance, consulting, law, strategy,tax and transactions, EY teams ask better questionsto find new answers for the complex issues facingour world today.EY Americas Assurance Leaderjohn.king@ey.comPeter WollmertEY EMEIA Assurance Leaderpeter.wollmert@de.ey.comMichael WrightEY Asia-Pacific Assurance Leadermichael.wright@au.ey.comEY refers to the global organization, and may refer to one or more,of the member firms of Ernst & Young Global Limited, each of whichis a separate legal entity. Ernst & Young Global Limited, a UK companylimited by guarantee, does not provide services to clients. Informationabout how EY collects and uses personal data and a description of therights individuals have under data protection legislation are availablevia ey.com/privacy. EY member firms do not practice law where prohibitedby local laws. For more information about our organization, pleasevisit ey.com. 2020 EYGM Limited.All Rights Reserved.EYG no. 007947-20GblBMC Agency GA 1016896ED NoneIn line with EY’s commitment to minimize its impact on the environment, thisdocument has been printed on paper with a high recycled content.This material has been prepared for general informational purposes only and is not intendedto be relied upon as accounting, tax, legal or other professional advice. Please refer to youradvisors for specific advice.ey.com
6 Preventing and detecting fraud: strengthening the roles of companies, auditors and regulators 4 Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse, Association of Certified Fraud Examiners, 2020. 5 Fraud and going concern in an audit of financial statements, IAASB. 6 Consultation on revised auditing standard for the auditor's responsibilities relating to fraud, FRC.
Types of economic crime/fraud experienced Customer fraud was introduced as a category for the first time in our 2018 survey. It refers to fraud committed by the end-user and comprises economic crimes such as mortgage fraud, credit card fraud, claims fraud, cheque fraud, ID fraud and similar fraud types. Source: PwC analysis 2
Types of economic crime/fraud experienced Customer fraud was introduced as a category for the first time in our 2018 survey. It refers to fraud committed by the end-user and comprises economic crimes such as mortgage fraud, credit card fraud, claims fraud, cheque fraud, ID fraud and similar fraud types. Source: PwC analysis 2
Card Fraud 11 Unauthorised debit, credit and other payment card fraud 12 Remote purchase (Card-not-present) fraud 15 Counterfeit Card Fraud 17 Lost and Stolen Card Fraud 18 Card ID theft 20 Card not-received fraud 22 Internet/e-commerce card fraud los
Handling Debit Card Fraud STRATEGIZE- Debit card fraud and disputes must have a strategy based on evolving fraud. INVENTORY - Inventory all types of debit card fraud and how you mitigate fraud. TRAIN - Train your front line and investigators. DOCUMENT - Clearly document the strategy and fraud management and
Fraud by any other name is still fraud “Relatively few occupational fraud and abuse offenses are discovered through routine audits. Most Fraud is uncovered as a result of tips and complaints from other employees.” Association of Fraud
Investigation Planning and Conducting a Fraud Examination 2016 Fraud Examiners Manual (International) 3.107 The fraud theory approach provides that, when conducting investigations into allegations or signs of fraud, the fraud examiner should make a hypothesis (or theory) of what might have occurred based on the known facts.
Detection of Fraud Schemes Fraud is much more likely to be detected by tips than by any other method. 2012 Association of Certified Fraud Examiners, Inc. 26 Detection of Occupational Frauds 2012 Association of Certified Fraud Examiners, Inc. 27 Why Employees Do Not Report Fraud According to a Business Ethics Study (Association of Certified Fraud Examiners), employees do not .
to the entire field of artificial intelligence. Humans, it seems, know things and do reasoning. Knowledge and reasoning are also important for artificial agents because they enable successful behaviors that would be very hard to achieve otherwise. We have seen that knowledge of action outcomes enables problem-solving agents to perform well in complex environments. A reflex agents could onl
